public inbox for git-commits@fedoraproject.org
help / color / mirror / Atom feed
From: Tomas Mraz <tmraz@fedoraproject.org>
To: git-commits@fedoraproject.org
Subject: [rpms/openssl] rebase_40beta: add script for renewal of a self-signed cert by Philip Prindeville (#871566)
Date: Tue, 09 Jun 2026 12:42:47 GMT [thread overview]
Message-ID: <178100896768.1.2667870224432910541.rpms-openssl-c67ea975b97c@fedoraproject.org> (raw)
A new commit has been pushed.
Repo : rpms/openssl
Branch : rebase_40beta
Commit : c67ea975b97c39fa52b5d0e24b451ad1156816c5
Author : Tomas Mraz <tmraz@fedoraproject.org>
Date : 2012-12-21T17:21:50+01:00
Stats : +63/-1 in 3 file(s)
URL : https://src.fedoraproject.org/rpms/openssl/c/c67ea975b97c39fa52b5d0e24b451ad1156816c5?branch=rebase_40beta
Log:
add script for renewal of a self-signed cert by Philip Prindeville (#871566)
- allow X509_issuer_and_serial_hash() produce correct result in
the FIPS mode (#881336)
---
diff --git a/openssl-1.0.1c-issuer-hash.patch b/openssl-1.0.1c-issuer-hash.patch
new file mode 100644
index 0000000..f911501
--- /dev/null
+++ b/openssl-1.0.1c-issuer-hash.patch
@@ -0,0 +1,11 @@
+diff -up openssl-1.0.1c/crypto/x509/x509_cmp.c.issuer-hash openssl-1.0.1c/crypto/x509/x509_cmp.c
+--- openssl-1.0.1c/crypto/x509/x509_cmp.c.issuer-hash 2011-06-22 04:18:06.000000000 +0200
++++ openssl-1.0.1c/crypto/x509/x509_cmp.c 2012-12-21 17:18:38.101308997 +0100
+@@ -85,6 +85,7 @@ unsigned long X509_issuer_and_serial_has
+ char *f;
+
+ EVP_MD_CTX_init(&ctx);
++ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ f=X509_NAME_oneline(a->cert_info->issuer,NULL,0);
+ ret=strlen(f);
+ if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL))
diff --git a/openssl.spec b/openssl.spec
index 984d1b0..78af27f 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -22,7 +22,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implem
Name: openssl
Version: 1.0.1c
# Do not forget to bump SHLIB_VERSION on version upgrades
-Release: 10%{?dist}
+Release: 11%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@@ -31,6 +31,7 @@ Source: openssl-%{version}-usa.tar.xz
Source1: hobble-openssl
Source2: Makefile.certificate
Source6: make-dummy-cert
+Source7: renew-dummy-cert
Source8: openssl-thread-test.c
Source9: opensslconf-new.h
Source10: opensslconf-new-warning.h
@@ -46,6 +47,7 @@ Patch8: openssl-1.0.1c-perlfind.patch
Patch9: openssl-1.0.1c-aliasing.patch
# Bug fixes
Patch23: openssl-1.0.1c-default-paths.patch
+Patch24: openssl-1.0.1c-issuer-hash.patch
# Functionality changes
Patch33: openssl-1.0.0-beta4-ca-dir.patch
Patch34: openssl-0.9.6-x509.patch
@@ -151,6 +153,7 @@ from other formats to the formats used by the OpenSSL toolkit.
%patch9 -p1 -b .aliasing
%patch23 -p1 -b .default-paths
+%patch24 -p1 -b .issuer-hash
%patch33 -p1 -b .ca-dir
%patch34 -p1 -b .x509
@@ -300,6 +303,7 @@ done
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs
install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs/Makefile
install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs/make-dummy-cert
+install -m755 %{SOURCE7} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs/renew-dummy-cert
# Make sure we actually include the headers we built against.
for header in $RPM_BUILD_ROOT%{_includedir}/openssl/* ; do
@@ -431,6 +435,11 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%postun libs -p /sbin/ldconfig
%changelog
+* Fri Dec 21 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1c-11
+- add script for renewal of a self-signed cert by Philip Prindeville (#871566)
+- allow X509_issuer_and_serial_hash() produce correct result in
+ the FIPS mode (#881336)
+
* Thu Dec 6 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1c-10
- do not load default verify paths if CApath or CAfile specified (#884305)
diff --git a/renew-dummy-cert b/renew-dummy-cert
new file mode 100755
index 0000000..50f9931
--- /dev/null
+++ b/renew-dummy-cert
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+if [ $# -eq 0 ]; then
+ echo $"Usage: `basename $0` filename" 1>&2
+ exit 1
+fi
+
+PEM=$1
+REQ=`/bin/mktemp /tmp/openssl.XXXXXX`
+KEY=`/bin/mktemp /tmp/openssl.XXXXXX`
+CRT=`/bin/mktemp /tmp/openssl.XXXXXX`
+NEW=${PEM}_
+
+trap "rm -f $REQ $KEY $CRT $NEW" SIGINT
+
+if [ ! -f $PEM ]; then
+ echo "$PEM: file not found" 1>&2
+ exit 1
+fi
+
+let -a SERIAL=0x$(openssl x509 -in $PEM -noout -serial | cut -d= -f2)
+let SERIAL++
+
+umask 077
+
+OWNER=`ls -l $PEM | awk '{ printf "%s.%s", $3, $4; }'`
+
+openssl rsa -inform pem -in $PEM -out $KEY
+openssl x509 -x509toreq -in $PEM -signkey $KEY -out $REQ
+openssl x509 -req -in $REQ -signkey $KEY -set_serial $SERIAL -days 365 \
+ -extfile /etc/pki/tls/openssl.cnf -extensions v3_ca -out $CRT
+
+(cat $KEY ; echo "" ; cat $CRT) > $NEW
+
+chown $OWNER $NEW
+
+mv -f $NEW $PEM
+
+rm -f $REQ $KEY $CRT
+
+exit 0
+
reply other threads:[~2026-06-09 12:42 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=178100896768.1.2667870224432910541.rpms-openssl-c67ea975b97c@fedoraproject.org \
--to=tmraz@fedoraproject.org \
--cc=git-commits@fedoraproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox